Rust 2018 All Hands Unsafe Code Guidelines
Two days’ conversation

Tuesday
Thursday

Agenda


  • Ralf’s model and lessons there
  • Reviewing ACA model
  • Rough draft for valgrind tool
  • Making a plan

Continuation from Y’all Hands Discussion

Ralf’s model

  • Last summer Ralf prototyped this
  • Links to blog posts:
    • TBD
  • Found a bunch of problems within the MIR test suite

  • Key question: given a function that takes a reference it doesn’t use
    fn foo(x: &u32) { }
  • Does this have any effect on things it doesn’t use?
    • Validity based: yes
    • Access based: no
  • This affects the sorts of optimizations you can do
  • However, validity in Rust is somewhat temporal. References stop being valid when their lifetime ends. Therefore, validity models tend to give significance to the point where a borrow ends, which is undesirable.
  • Goal: the model doesn’t care about lifetimes
  • Rough details:
    • at beginning of fn, you go over all your arguments and check that they are valid
    • a reference must point to allocated, valid memory
    • mutable references cannot overlap with other things
    • no “type-based alias analysis”, so &f32 and &i32 could overlap etc

Some problems encountered:

  • UnsafeCell::get_mut — creates a
  • most of the problems have to do with &mut → *mut
  • Arc invokes Layout::for_value with a &T where the T has been dropped
    • this comes back to the access question — Layout::for_value doesn’t use the size information
  • Related issues:
    • mem::forget
    • size_of_val
  • Interesting question:
    • *mut Trait — must metadata be valid?
    • consider *mut Thin<Trait>
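Added illustration (not part of the meeting notes, and not Ralf’s prototype): a toy version of the “check every argument at the beginning of fn” rule from the rough details above, applied to the Arc / Layout::for_value problem. Memory is a list of allocations, a reference is reduced to the byte range it covers plus shared/mutable, and entering a function validates every reference argument whether or not the body reads through it. Types are ignored on purpose (no type-based alias analysis), so two shared references such as &f32 and &i32 over the same bytes pass. The names Memory, Ref, Invalid, check_fn_entry and dropped_payload_scenario are made up for this example; lifetimes are not modelled at all, matching the stated goal.

```rust
// Toy "validity at function entry" checker. Assumed, simplified model built
// for this example; it is not the real Rust aliasing model.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RefKind {
    Shared,
    Mutable,
}

/// A reference argument, reduced to the byte range it covers.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Ref {
    pub alloc: usize,
    pub offset: usize,
    pub len: usize,
    pub kind: RefKind,
}

/// Reasons a reference argument fails validation at function entry.
#[derive(Debug, PartialEq, Eq)]
pub enum Invalid {
    /// The allocation has already been freed (e.g. the pointee was dropped).
    Dangling { arg: usize },
    /// The reference reaches past the end of its allocation.
    OutOfBounds { arg: usize },
    /// A mutable reference overlaps another reference argument.
    MutableOverlap { arg: usize, other: usize },
}

/// Allocations by id: `Some(size)` while live, `None` once freed.
#[derive(Default)]
pub struct Memory {
    allocs: Vec<Option<usize>>,
}

impl Memory {
    pub fn alloc(&mut self, size: usize) -> usize {
        self.allocs.push(Some(size));
        self.allocs.len() - 1
    }

    pub fn dealloc(&mut self, id: usize) {
        self.allocs[id] = None;
    }

    fn size_of(&self, id: usize) -> Option<usize> {
        self.allocs.get(id).copied().flatten()
    }
}

/// Byte-range overlap within the same allocation; types play no role.
fn overlaps(a: &Ref, b: &Ref) -> bool {
    a.alloc == b.alloc && a.offset < b.offset + b.len && b.offset < a.offset + a.len
}

/// The check run "at beginning of fn": every reference argument must point
/// into allocated memory, and no mutable reference may overlap any other
/// argument. `fn foo(x: &u32) {}` still validates `x` even though it is unused.
pub fn check_fn_entry(mem: &Memory, args: &[Ref]) -> Result<(), Invalid> {
    for (i, r) in args.iter().enumerate() {
        match mem.size_of(r.alloc) {
            None => return Err(Invalid::Dangling { arg: i }),
            Some(size) if r.offset + r.len > size => {
                return Err(Invalid::OutOfBounds { arg: i })
            }
            Some(_) => {}
        }
    }
    for (i, a) in args.iter().enumerate() {
        for (j, b) in args.iter().enumerate().skip(i + 1) {
            let any_mut = a.kind == RefKind::Mutable || b.kind == RefKind::Mutable;
            if any_mut && overlaps(a, b) {
                return Err(Invalid::MutableOverlap { arg: i, other: j });
            }
        }
    }
    Ok(())
}

/// Mirrors the Arc problem from the notes: the payload has been dropped, and a
/// `&T` to it is passed to a function that never reads through it. Under the
/// validity-based rule this is rejected at entry; an access-based rule would not
/// complain because nothing is ever read.
pub fn dropped_payload_scenario() -> Result<(), Invalid> {
    let mut mem = Memory::default();
    let payload = mem.alloc(8); // constructed: an 8-byte T inside the Arc
    mem.dealloc(payload); // T has been dropped, but a &T to it is still handed out
    let stale = Ref { alloc: payload, offset: 0, len: 8, kind: RefKind::Shared };
    check_fn_entry(&mem, &[stale])
}

fn main() {
    // Prints Err(Dangling { arg: 0 }) under the validity-based rule.
    println!("{:?}", dropped_payload_scenario());
}
```

The shape of check_fn_entry is the whole point: validation happens once, up front, on every argument, with no reference to when any borrow ends, which is how the model avoids giving significance to lifetimes while still letting the compiler assume that an argument like x in foo is readable.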

Access vs Validity